CVE-2025-2221
Published: 14 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2221 is a time-based (blind) SQL injection vulnerability in the WPCOM Member plugin for WordPress, affecting all versions up to and including 1.7.6. The flaw is reachable through the 'user_phone' parameter: user-supplied input is not escaped and the existing SQL query is not prepared, so the value is spliced directly into the query text. The advisory points to the plugin's class-sesstion.php file at line 35.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction, consistent with its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and its classification under CWE-89. Exploitation lets an attacker append additional SQL to the existing query. Because the injection is time-based, the HTTP response carries no query output; the attacker instead infers database contents one condition at a time from the delay the injected SQL induces, which is why the impact is rated high on confidentiality and none on integrity or availability.
Wordfence's threat intelligence advisory provides further details on the vulnerability. A patch addressing the issue is available via changeset 3255171 in the WordPress plugins trac repository.
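The pattern behind the advisory, shown as an added, runnable illustration rather than the plugin's own code (the page does not reproduce it): an SQLite-backed member lookup that splices user_phone into the query text, next to the same lookup with a bound parameter. SQLite has no SLEEP(), so a Python callable named SLEEP is registered to model MySQL's SLEEP() and to count how often the database pauses; the table, rows and payload are constructed for the example and are not taken from the advisory. In WordPress the bound-parameter version corresponds to $wpdb->prepare() with a %s placeholder.

```python
import sqlite3
import time

# Constructed sample rows: a stand-in for member records, not the plugin's real schema.
SAMPLE_MEMBERS = [
    (1, "alice", "+15550100", "hash-a"),
    (2, "bob",   "+15550101", "hash-b"),
    (3, "carol", "+15550102", "hash-c"),
]


class SleepProbe:
    """Models MySQL's SLEEP(seconds) for SQLite: records every call so a caller
    can count how many times the database paused, then sleeps for a scaled-down
    fraction of the requested time so the demo stays fast."""

    def __init__(self, scale=0.01):
        self.calls = []
        self.scale = scale

    def __call__(self, seconds):
        self.calls.append(seconds)
        time.sleep(seconds * self.scale)
        return 0  # MySQL's SLEEP() returns 0 when it completes normally


def make_db():
    """Fresh in-memory database with the sample members and the SLEEP model."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, user_login TEXT, "
        "user_phone TEXT, user_pass TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    probe = SleepProbe()
    conn.create_function("SLEEP", 1, probe)
    return conn, probe


def find_member_vulnerable(conn, user_phone):
    # The weakness the advisory describes: untrusted input is interpolated into
    # the SQL text with no escaping and no prepared statement, so a quote in the
    # input ends the string literal and the rest is parsed as SQL.
    sql = f"SELECT id, user_login FROM members WHERE user_phone = '{user_phone}'"
    return conn.execute(sql).fetchall()


def find_member_hardened(conn, user_phone):
    # Parameter binding: the value never becomes part of the SQL text, so quotes,
    # comment markers and function calls inside it are matched as plain characters.
    sql = "SELECT id, user_login FROM members WHERE user_phone = ?"
    return conn.execute(sql, (user_phone,)).fetchall()


def run_probe(lookup, user_phone):
    """Run one lookup against a fresh database and report rows, SLEEP calls and wall time."""
    conn, probe = make_db()
    start = time.perf_counter()
    rows = lookup(conn, user_phone)
    elapsed = time.perf_counter() - start
    return {"rows": rows, "sleep_calls": len(probe.calls), "elapsed": elapsed}


# Textbook time-based payload (constructed, not from the advisory): close the string,
# add a condition that makes the database pause, comment out the trailing quote.
TIME_PAYLOAD = "' OR SLEEP(2) = 0 -- "

if __name__ == "__main__":
    for name, fn in (("vulnerable", find_member_vulnerable), ("hardened", find_member_hardened)):
        r = run_probe(fn, TIME_PAYLOAD)
        print(f"{name:10s} rows={len(r['rows'])} sleep_calls={r['sleep_calls']} "
              f"elapsed={r['elapsed']:.3f}s")
```

With the interpolating lookup the payload turns the WHERE clause into `user_phone = '' OR SLEEP(2) = 0`, so SLEEP() fires once per row and every row matches; the bound-parameter lookup compares the payload as a literal phone string, matches nothing and never pauses. The per-row SLEEP count is the measurable side channel a time-based attacker reads, which is why the fix has to stop the input from reaching the parser rather than filter for particular keywords.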
Details
CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)
Affected Products: WPCOM Member plugin for WordPress, all versions up to and including 1.7.6
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote, unauthenticated SQL injection in a public-facing WordPress plugin. Exploiting the web application over the Internet is the initial access step, and the injection itself is what yields database contents, so the technique described above (exploitation of an Internet-facing host or system for initial access) applies directly.